Initial PR opened with 464 changes! Bulk replace `http://` with `https://` by lisanna-dettwyler · Pull Request #496560 · NixOS/nixpkgs · GitHub
Looks like there was a bug in my script that could cause invalid replacements to be accepted. There’s a short explanation in the PR. I’ve adjusted it to the following and am regenerating it.
#! /usr/bin/env bash
# Reads one JSON object per line (fields: attrPath, extraValue.position),
# rewrites the fetcher URLs under that package's directory from http:// to
# https://, and keeps the change only if the source still builds.
set -e
trap exit SIGINT
while read -r line; do
  attrPath=$(echo "$line" | jq -r '.attrPath | join(".")')
  echo
  # position looks like /nix/store/<hash>-source/pkgs/.../default.nix:<line>
  position=$(echo "$line" | jq -r .extraValue.position)
  position=${position%:*}                    # drop the :<line> suffix
  position=${position#/nix/store/*-source/}  # make it relative to the checkout
  echo "PROCESSING $attrPath in $position"
  parent=$(dirname "$position")
  # Skip packages whose source does not build even before the rewrite.
  if ! nix build ".#${attrPath}.src"; then
    continue
  fi
  # -exec instead of a for loop over $(find ...) so paths with spaces survive.
  find "$parent" -type f -exec sed -i 's/url = "http:/url = "https:/g' {} +
  if ! git diff --exit-code; then
    # --rebuild forces a fresh fetch of the source against the recorded hash.
    if nix build ".#${attrPath}.src" --rebuild; then
      git add "$parent"
      git commit -s -m "$attrPath: use https for sources"
    else
      git stash  # undo the rewrite for this package
    fi
  fi
done < only-http.txt
Confidentiality: Someone observing your traffic might easily see what software makes up your systems (including hints for e.g. outdated/vulnerable versions).
Availability: Hashes are verified after stuff has been downloaded. With http downloads an attacker might selectively disturb or delay downloading for specific software.
Integrity: Hashes in Nixpkgs are often updated using a TOFU approach. https is actually a slight improvement here (but still no replacement for checking e.g. signatures from upstream).
Granted, this might exceed the threat model of the average Nix user, but unifying to https/following an https-first approach is not a bad idea.
There were some false positives, because it turns out fetchurl will as a last resort try tarballs.nixos.org. So just replacing the URL and running nix build --rebuild .#package.src isn’t reliable. At the suggestion of one of the reviewers I put together a script which yanked the hashes from these packages and tried to build them that way. I then manually tested each package marked as a possible false positive and dropped the ones with actually broken links. Latest update to the PR has at least 314 replacements!
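As an added example (not the PR author's script or anything from nixpkgs): a direct fetch-and-verify check that bypasses nix's fetchurl fallback to tarballs.nixos.org, so a matching hash really means the https URL itself serves the recorded bytes. The expected hash may be given as hex or as an SRI `sha256-...` string; `curl`, `sha256sum`, `base64` and `od` are assumed to be available.

```bash
#!/usr/bin/env bash
# Added example: verify that an https URL serves the bytes recorded in
# nixpkgs, with no mirror fallback in the way. Assumes curl, sha256sum,
# base64 and od.

# Normalise an expected hash to lowercase hex. Accepts 64 hex chars or an
# SRI string such as sha256-WJG1...vgM= (the form nixpkgs uses in `hash =`).
to_hex() {
  local h=$1
  case "$h" in
    sha256-*) printf '%s' "${h#sha256-}" | base64 -d | od -An -tx1 | tr -d ' \n' ;;
    *)        printf '%s' "$h" | tr 'A-F' 'a-f' ;;
  esac
}

# verify_sha256 FILE EXPECTED: returns 0 when FILE's sha256 matches EXPECTED.
verify_sha256() {
  local file=$1 expected actual
  expected=$(to_hex "$2")
  actual=$(sha256sum "$file" | cut -d' ' -f1)
  [ "$actual" = "$expected" ]
}

# check_https_source URL EXPECTED: fetch URL over https only (no downgrade
# to http on redirects either) and compare against the recorded hash.
# Exit status: 0 match, 1 hash mismatch, 2 fetch failed.
check_https_source() {
  local url=$1 expected=$2 tmp status
  tmp=$(mktemp)
  if curl --proto '=https' --proto-redir '=https' --fail --location \
          --silent --show-error --output "$tmp" "$url"; then
    if verify_sha256 "$tmp" "$expected"; then
      status=0; echo "OK          $url"
    else
      status=1; echo "MISMATCH    $url (hash differs; do not commit the rewrite)"
    fi
  else
    status=2; echo "UNREACHABLE $url"
  fi
  rm -f "$tmp"
  return "$status"
}
```

Run it as `check_https_source "$url" "$hash"` for each candidate package; only an OK result justifies keeping the https rewrite, a MISMATCH or UNREACHABLE is a real false positive.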
Side-note on this: this is also why configuring a substituter is highly privileged, as you disclose to the substituter what software versions you're running.
Hence I’m super not hype about configuring any substituter but cache.nixos.org
Not exactly the worst thing a substituter can do.